Paul Hardwick: Alerts

Google's Blog Software Hijacked by Scammers.

Sun, 18 Mar 2007 02:58:36 GMT

Google's Blog Software Hijacked by Scammers. Google's blogger.com is being hijacked to spread malware through fake blogs, a security vendor warns. [PC World: Latest Technology News]

Hackers Promise Month of MySpace Bugs.

Sun, 18 Mar 2007 01:58:02 GMT

Hackers Promise Month of MySpace Bugs. They won't divulge their real names, they call their project a "whiny, attention-seeking ploy," and they appear to take their fashion cues from Beastie Boys music videos. [PC World: Latest Technology News]

Administrivia: Possible unscheduled upgrade of Privacy Digest

Sun, 18 Mar 2007 01:39:04 GMT

Administrivia: Possible unscheduled upgrade of Privacy Digest.

I might be implementing an unscheduled upgrade of the site due to some problems with the software I am currently using to run the site. I had been working on upgrading the software to implement some new features but may have to implement sooner than originally planned. If you would like to take a peek at the planned software take a visit to http://www.PrivacyDigest.com/index.php Yes the full URL will have to be entered until I have completed the switch over.

There may be some hiccups during the process as the XML/RSS location will change along with access to the sub-topics. I plan to create mod-rewrite rules to take of this but they may not all be ready on day one.

Please let me know what you think.

Your Clickstream Data: 40 cents; Losing Your Privacy: Priceless.

Sun, 18 Mar 2007 01:15:54 GMT

Your Clickstream Data: 40 cents; Losing Your Privacy: Priceless.

Adam Fields points to this disturbing revelation that ISPs are apparently selling their customer[base ']s clickstream data. The guilty ISPs apparently took the same [base "]anonymization[per thou] seminar as AOL, merely replacing user names with User 1, User 2, etc.

And what kind of price are they charging for such a violation of user[base ']s privacy? About 40 cents a month per user. Unbelievable.

[michaelzimmer.org]

Careful What You Search For..... LIVE WEBCAST

Fri, 16 Mar 2007 19:43:39 GMT

Careful What You Search For..... LIVE WEBCAST
(Source: Oracle) Security is the greatest single issue for IT groups today. IT must balance how to enable people to find the information they need to do their work, and at the same time protect the information they should not access. See how Oracle Secure Enterprise Search enables two organizations to deliver secure, low-cost, and easy-to-deploy search solutions that eliminate information overload, and are as easy to use as popular Internet search engines. [Computerworld Privacy News]

FT.com - Web censorship spreading globally

Fri, 16 Mar 2007 19:14:16 GMT

Internet censorship is spreading rapidly, being practised by about two dozen countries and applied to a far wider range of online information and applications, according to research by a transatlantic group of academics.

The warning comes a week after a Turkish court ordered the blocking of YouTube to silence offensive comments about Mustafa Kemal Ataturk, the founder of modern Turkey, marking the most visible attack yet on a website that has been widely adopted around the world.

A recent six-month investigation into whether 40 countries use censorship shows the practice is spreading, with new countries learning from experienced practitioners such as China and benefiting from technological improvements.

OpenNet Initiative, a project by Harvard Law School and the universities of Toronto, Cambridge and Oxford, repeatedly tried to call up specific websites from 1,000 international news and other sites in the countries concerned, and a selection of local-language sites.

The research found a trend towards censorship or, as John Palfrey, executive director of Harvard Law School's Berkman Center for Internet and Society, said, "a big trend in the reverse direction", with many countries recently starting to adopt forms of online censorship.

Ronald Deibert, associate professor of political science at the University of Toronto, said 10 countries had become "pervasive blockers", regularly preventing their citizens seeing a range of online material. These included China, Iran, Saudi Arabia, Tunisia, Burma and Uzbekistan.

New censorship techniques include the periodic barring of complete applications, such as China's block on Wikipedia or Pakistan's ban on Google's blogging service, and the use of more advanced technologies such as "keyword filtering", which is used to track down material by identifying sensitive words.

Methods such as these are being copied as countries new to censorship learn from those with more experience. "There's a growing awareness of best practice - or rather, worst practice," Mr Deibert said.

Web Censorship on the Increase.

Fri, 16 Mar 2007 19:10:15 GMT

Web Censorship on the Increase. mid-devonian writes "Close on the heels of the temporary blocking of YouTube by a Turkish judge, a group of academics has published research showing that Web censorship is on the increase worldwide. As many as two dozen countries are blocking content using a variety of techniques. Distressingly, the most censor-heavy countries (which includes China, Iran, Saudi Arabia, Tunisia, Burma and Uzbekistan) seem to be passing on their technologically sophisticated techniques to other areas of the world. 'New censorship techniques include the periodic barring of complete applications, such as China's block on Wikipedia or Pakistan's ban on Google's blogging service, and the use of more advanced technologies such as 'keyword filtering', which is used to track down material by identifying sensitive words.'" [Slashdot: Your Rights Online]

PATRIOT Act Apologist Site Didn't Get the Memo.

Fri, 16 Mar 2007 18:45:28 GMT

PATRIOT Act Apologist Site Didn't Get the Memo.

Last week, the Department of Justice Inspector General's office released a damning report documenting the FBI abusing its powers under the PATRIOT Act and violating the law to collect Americans' telephone, Internet, financial, credit, and other personal records about Americans without judicial approval.

It appears that not everyone at the DOJ got the memo. The DOJ's Life and Liberty website, a site dedicated to defending the honor of the PATRIOT Act during the re-authorization process last spring, still reads as if nothing has changed. Particularly in the light of the newly revealed truth, many of the quotes now seem (at best) naive.

Under the headline of "Examining the Facts", the DOJ asserts that PATRIOT has "four-year track record with no verified civil liberties abuses." The site quotes an op-ed by former House Judiciary Committee Chairman James Sensenbrenner:

Zero. That's the number of substantiated USA PATRIOT Act civil liberties violations. Extensive congressional oversight found no violations. Six reports by the Justice Department's independent Inspector General, who is required to solicit and investigate any allegations of abuse, found no violations.

Wow, that sure sounds good. Unfortunately, the new report reveals that is is simply not true: the inspector general identifies dozens of instances in which extra-judicial demands for personal information -- known as National Security Letters -- may have violated laws and agency regulations.

In the Archive section, the site includes quotes from an op-ed by Senator Pat Roberts responding to critics like ourselves:

I regret to say it, but the rhetoric of those opposed to permanently authorizing the act has no substance and borders on paranoia. Opponents have criticized the act for years but can cite only hypothetical abuses. Facts are stubborn things. The actual record is quite clear - there have been no substantiated allegations of abuse of Patriot Act authorities, period.

Critics could only point to hypothetical abuses because the fox was guarding the hen house. Senator Roberts also opined that:

Through aggressive congressional oversight, we know the FBI uses Patriot Act authorities within the law.

It's now clearer than ever that the oversight was not aggressive enough, with the report documenting that the FBI decieved Congress about its use of the letters. The report is likely only the tip of the iceberg. Immediate and thorough oversight hearings are necessary to uncover the truth and hold the Administration accountable.

Tell Congress to defend your privacy now.

[EFF: Deep Links]

Core Security | CoreLabs - OpenBSD's IPv6 mbufs remote kernel buffer overflow

Thu, 15 Mar 2007 19:42:23 GMT

Vulnerability Description

The OpenBSD kernel contains a memory corruption vulnerability in the code that handles IPv6 packets. Exploitation of this vulnerability can result in:

1) Remote execution of arbitrary code at the kernel level on the vulnerable systems (complete system compromise), or;

2) Remote denial of service attacks against vulnerable systems (system crash due to a kernel panic)

The issue can be triggered by sending a specially crafted IPv6 fragmented packet.

OpenBSD systems using default installations are vulnerable because the default pre-compiled kernel binary (GENERIC) has IPv6 enabled and OpenBSD's firewall does not filter inbound IPv6 packets in its default configuration.

Remote Exploit Discovered for OpenBSD.

Thu, 15 Mar 2007 19:39:14 GMT

Remote Exploit Discovered for OpenBSD. An anonymous reader writes "OpenBSD is known for its security policies, and for its boast of "only one remote exploit in over 10 years". Well, make that two, because Core Security has found a remotely exploitable buffer overflow in the OpenBSD kernel. Upgrade your firewalls as soon as possible." [Slashdot]

New Fraudulent Adware Uses Rootkit Techniques.

Thu, 15 Mar 2007 19:16:48 GMT

New Fraudulent Adware Uses Rootkit Techniques. "Under no circumstances should users download applications through pop-up ads, or shortcuts that suddenly appear on the desktop." [GT: Security and Privacy]

Four Colorado Counties Placed on Election Watch List.

Wed, 14 Mar 2007 20:04:05 GMT

Four Colorado Counties Placed on Election Watch List. Errors with voting machines, delays in voting, inadequate security cited. [GT: Security and Privacy]

Latest ID-Theft Worry? Copiers.

Wed, 14 Mar 2007 19:55:53 GMT

Latest ID-Theft Worry? Copiers. Digital photocopiers use hard drives to store data. If not properly secured, they can be vulnerable to data thieves. By the Associated Press. [Wired News: Security Blanket]

Medical data on Blue Cross members may be lost | CNET News.com

Wed, 14 Mar 2007 19:45:41 GMT

WellPoint, one of the nation's largest health insurers, has begun notifying 75,000 members of its Empire Blue Cross and Blue Shield unit in New York that a CD holding their vital medical and other personal information has disappeared.

The information was on an unencrypted disc that a subcontractor recently sent to Magellan Behavioral Services, a company in Avon, Conn., that specializes in monitoring and coordinating mental health and substance abuse treatments for insurance companies.

Empire began notifying the affected consumers by mail on Saturday that their records--including their names, Social Security numbers, health plan identification numbers and description of medical services back to 2003--had been lost.

[...]

Before shipping the information to Magellan, the coding and passwords that protect the privacy of the information was removed by a Magellan subcontractor, Lisa Ann Greiner, an Empire spokeswoman, said Tuesday.

Janlori Goldman, the director of the Health Privacy Center, a nonprofit organization in Washington, said the error was an "egregious breach of privacy." She said that insurance companies were responsible under a federal privacy law for ensuring that their contractors use adequate security procedures.

Greiner said that the subcontractor, Health Data Management Services, worked for Magellan, not Empire. "If any contract was breached, we are going to take direct action," she said.

Apple Releases a Bushel of Software Patches.

Wed, 14 Mar 2007 15:35:07 GMT

Apple Releases a Bushel of Software Patches.

Today turned out to be "Patch Tuesday" after all, only the security updates were released by Apple instead of Microsoft.

Apple issued security updates to plug at least 46 separate security holes in its operating system and other software. The updates are available through Apple's site or via the built-in Software Update feature.

Nearly one-third of the fixes mend flaws outlined in the controversial Month of Kernel Bugs and Month of Apple Bugs projects from November 2006 and January 2007, respectively. Also included was a patch for a serious flaw in Apple's Software Update application.

A number of the patches address third-party applications built for use on Mac OS X and Mac OS X Server systems. Today's bundle fixes at least seven bugs in the MySQL database software, and two flaws in OpenSSH, a tool used to encrypt online communications. Other programs patched in this release include iPhoto, QuickDraw, and Adobe's Flash Player.

[Security Fix]

EFF: Paper: Who Controls Your Television?

Tue, 13 Mar 2007 20:46:30 GMT

Today, consumers can digitally record their favorite television shows, move recordings to portable video players, excerpt a small clip to include in a home video, and much more. The digital television transition promises innovation and competition in even more great gadgets that will give consumers unparalleled control over their media.

But an inter-industry organization that creates television and video specifications used in Europe, Australia, and much of Africa and Asia is laying the foundation for a far different future -- one in which major content providers get a veto over innovation and consumers face draconian digital rights management (DRM) restrictions on the use of TV content. At the behest of American movie and television studios, the Digital Video Broadcasting Project (DVB) is devising standards to ensure that digital television devices obey content providers' commands rather than consumers' desires. These restrictions will take away consumers' rights and abilities to use lawfully-acquired content so that each use can be sold back to them piecemeal.

Consumers would never choose this future, so Hollywood will try to force it on them by regulatory fiat. DVB's imprimatur may put restrictive standards on the fast-track to becoming legally-enforced mandates, and existing laws already limit evasion of DRM even for lawful purposes. In effect, private DRM standards will trump national laws that have traditionally protected the public's interests and carefully circumscribed copyright holders' rights.

Hollywood has long pursued this goal in the U.S., but its schemes in DVB have taken place behind the public's back and outside of scrutiny by elected officials. In this paper, we will summarize and expose Hollywood's plan.

The Electronic Frontier Foundation (EFF) is the only public interest group to have attended DVB's closed technical meetings. As a condition of participation, DVB imposed restrictions on our ability to report on these meetings. Now, after key parts of DVB's new DRM specification have been sent to the European standards body and may soon be provided to other EU regulators, we are releasing this paper to help consumer organizations and EU regulators understand the significant public policy implications of various DVB work items.

CPCM: A System to Control Innovation, Competition, and Television Viewers

Despite record profits in recent years, American movie and television studios have not relented in their cries that new technologies are a mortal threat to their industry. They sued to block the VCR and the first mass-market Digital Video Recorder (DVR) in the U.S., and, having failed to stamp out recording in those efforts, they have increasingly turned to creating restrictive technical standards backed by law.

Action Alert: Reform the PATRIOT Act and Stop the Abuse of Surveillance Powers!

Tue, 13 Mar 2007 20:28:38 GMT

Action Alert: Reform the PATRIOT Act and Stop the Abuse of Surveillance Powers!

The FBI has blatantly abused a key PATRIOT Act provision and knowingly violated the law to spy on Americans' telephone, Internet, and other personal records, as documented in a report recently released by the Justice Department. Congress must rein in this egregious behavior, but it can't stop there -- the Bush Administration's unprecedented pattern of disregarding the law stretches far beyond the examples in this report. Tell Congress to defend your privacy now.

Before PATRIOT, the FBI could use so-called National Security Letters only for securing the records of suspected terrorists or spies. But under PATRIOT the FBI can use them to get private records about anybody without any court approval as long as it believes the information could be relevant to an authorized terrorism or espionage investigation.

According to the Justice Department's Inspector General, the FBI's misuse of its authority included issuing NSLs to spy on people who weren't the subject of any existing investigation whatsoever. The FBI also lied to Congress and underreported its use of NSLs by many thousands. Worse still, the FBI has ignored its own lawyers' advice and intentionally evaded PATRIOT's thin bounds, improperly requesting and obtaining personal records through so-called "exigent letters" that Congress never authorized.

That's only a sampling of the horror story painted by the report, and, had Congress not ordered the Inspector General to review the FBI's activities last year, these abuses might have never been revealed. From the moment PATRIOT was passed, we said the NSL power was ripe for abuse and unconstitutional, and it's clearer than ever that Congress should repeal PATRIOT's expansion of NSL powers and reform the PATRIOT Act as a whole.

Moreover, Congress must broadly investigate the Administration's use of surveillance powers, including the NSA's massive and illegal domestic spying program. Congress and the American public have been kept in the dark about such clear violations of the law and Americans' privacy for far too long. Immediate and thorough oversight hearings are necessary to uncover the truth and hold the Administration accountable.

Take action now.

[EFF: Deep Links]

CDT Opposes Bill Expanding Pentagon Domestic Data Mining.

Tue, 13 Mar 2007 20:07:21 GMT

CDT Opposes Bill Expanding Pentagon Domestic Data Mining. CDT and other civil liberties groups are urging Congress to reject legislation that would exempt the Department of Defense from a key provision of the Privacy Act. The little-noticed amendment, already included in the Senate version of the Intelligence Authorization Act, would permit government agencies to disclose information on US citizens to the Defense Department. Such language could pave the way for entire databases of information to be transferred to the Defense Department without a clear purpose -- in turn opening the door to greater data mining by military agencies. [Center for Democracy and Technology]

CDT Calls for Reform of National Security Letters.

Tue, 13 Mar 2007 20:04:02 GMT

CDT Calls for Reform of National Security Letters. CDT is calling on Congress to require judicial approval of FBI efforts to access the sensitive records of US citizens. Recent revelations regarding violations in the use of so-called "national security letters" have shown that no matter how many internal controls the FBI adopts, self-certification in not sufficient when the government is obtaining the sensitive financial and communications records of citizens. CDT believes Congress should reform the law and adopt a reasonable system of judicial checks and balances. [Center for Democracy and Technology]

EFF Kills Bogus Clear Channel Patent.

Tue, 13 Mar 2007 19:55:43 GMT

EFF Kills Bogus Clear Channel Patent.

Patent Busting Project Wins Victory for Artists and Innovators

San Francisco - The U.S. Patent and Trademark Office (PTO) has announced it will revoke an illegitimate patent held by Clear Channel Communications after a campaign by the Electronic Frontier Foundation (EFF).

The patent covered a system and method of creating digital recordings of live performances. Clear Channel claimed the bogus patent created a monopoly on all-in-one technologies that produce post-concert digital recordings and threatened to sue those who made such recordings. This locked musical acts into using Clear Channel technology and blocked innovations by others.

However, EFF's investigation found that a company named Telex had in fact developed similar technology more than a year before Clear Channel filed its patent request. EFF -- in conjunction with patent attorney Theodore C. McCullough and with the help of Lori President and Ashley Bollinger, students at the Glushko-Samuelson Intellectual Property Clinic at American University's Washington College of Law -- asked the PTO to revoke the patent based on this and other extensive evidence.

"Bogus patents like this one are good examples of what's wrong with the current patent system," said EFF Staff Attorney Jason Schultz. "We're glad that the Patent Office was willing to help artists and innovators out from under its shadow."

The Clear Channel patent challenge was part of EFF's Patent Busting Project, aimed at combating the chilling effects bad patents have on public and consumer interests. The Patent Busting Project seeks to document the threats and fight back by filing requests for reexamination against the worst offenders.

"The patent system plays a critical role in business and the economy," said McCullough. "Everyone loses if we allow overreaching patent claims to restrict the tremendous benefits of new software and technology development."

For the notice from the Patent Office:
http://www.eff.org/patent/wanted/clearchannel/notice_of_intent_to_cancel.pdf

For more on EFF's Patent Busting Project:
http://www.eff.org/patent

Contacts:

Jason Schultz
Staff Attorney
Electronic Frontier Foundation
jason@eff.org

Theodore C. McCullough
Registered Patent Attorney
theo702000@yahoo.com

[EFF: Breaking News]

American Studios' Secret Plan to Lock Down European TV Devices.

Tue, 13 Mar 2007 19:53:46 GMT

American Studios' Secret Plan to Lock Down European TV Devices.

EFF Exposes Standards Jeopardizing Innovation and Consumer Rights

San Francisco - An international consortium of television and technology companies is devising draconian anti-consumer restrictions for the next generation of TVs in Europe and beyond, at the behest of American entertainment giants.

The Electronic Frontier Foundation (EFF) is the only public interest group to have gained entrance into the secretive meetings of the Digital Video Broadcasting Project (DVB), a group that creates the television and video specifications used in Europe, Australia, and much of Asia and Africa. In a report released today, EFF shows how U.S. movie and television companies have convinced DVB to create new technical specifications that would build digital rights management technologies into televisions. These specifications are likely to take away consumers' rights, which will subsequently be sold back to them piecemeal -- so entertainment fans will have to pay again and again for legitimate uses of lawfully acquired digital television content.

"DVB is abetting a massive power grab by the content industry, and many of the world's largest technology companies are simply watching," said Ren Bucholz, EFF Policy Coordinator, Americas. "This regime was concocted without input from consumer rights organizations or public interest groups, and it shows."

Despite recent record profits, American movie and television studios insist that new technologies could ruin their industry. In past battles against innovation, these same studios sued to block the sale of the VCR and the first mass-marketed digital video recorder in the U.S. Having failed in those efforts, they have now turned to creating technical standards that, when backed by law, are likely to restrict consumers' existing rights and threaten the future of technological innovation.

With DVB, the plan begun by entertainment companies in the U.S. has now gone global. EFF's report is aimed at alerting European consumer groups and consumers about the dangers posed by the proposed standards and providing informational resources for European regulators.

"DVB members' active indifference, even hostility, to user rights is shameful," said EFF Staff Technologist Seth Schoen. "When American studios ask for regulatory support for restrictions pushed through the DVB Project, public officials must stand up for consumer rights, sustain competition and innovation, and tell Hollywood to back off."

For the full report:
http://www.eff.org/IP/DVB/dvb_briefing_paper.php

EFF's 2005 Submission to the U.K. Department of Media, Sports and Culture:
http://www.eff.org/IP/DVB/dvb_critique.php

Contacts:

Ren Bucholz
Policy Coordinator, Americas
Electronic Frontier Foundation
ren@eff.org

Seth Schoen
Staff Technologist
Electronic Frontier Foundation
seth@eff.org

[EFF: Breaking News]

Don't Let OneCare Eat Your Email - AppScout

Sun, 11 Mar 2007 19:08:23 GMT

Whenever a program gets wide distribution there are bound to be some users who, rightly or wrongly, feel it has caused them pain. Sometimes it's a case of post hoc ergo propter hoc (Latin for "the hog was here, so the hog did it"). Other times there really is a problem, perhaps due to an unusual configuration or a compatibility problem with some less-common applications. But it's rare that the problem is as serious and the response as limited as in this case.

A reader brought to my attention a thread in Microsoft's discussion forums for Windows OneCare titled "Outlook and Outlook Express Mail Store Missing or Quarantined". The thread started with a message in January and it's still running today, with no clear resolution. In brief, if you get a virus in an email message received by Outlook, OneCare's next virus sweep may quarantine or delete your entire email store. If you receive a virus via Outlook Express OneCare may quarantine or delete the entire folder containing the virus. Really!

As the thread goes on, more and more users weigh in reporting the problem. Moderators attempt soothing responses like "Obviously, the action by OneCare is undesirable. However, you can ... exclude the Outlook PST file" and "I know it won't make you feel any better, but you're all really helping to make OneCare a better program for everyone" and "You never want email scanned on the way in or out of the system as it causes more problems than it fixes." At one or two points the moderators announce a fix, but the problem reports keep coming in. One moderator mused that this had been a problem in the beta of OneCare 1.0, but he hadn't seen it since then. Another suggested that version 1.5 may have been coded from the wrong "code branch" of the base 1.0/1.1 version. Hmm....

Windows Live OneCare Can Eat Your Email.

Sun, 11 Mar 2007 19:04:30 GMT

Windows Live OneCare Can Eat Your Email. FutureDomain writes in to point us to a blog sponsored by PC Magazine, reporting about another problem with Windows Live OneCare. Apparently, it sometimes deletes the entire Outlook or Outlook Express .PST mailbox when it finds a virus in one of the messages. The only solution is to tell OneCare to exclude the entire Outlook mailbox. This is the software that came in last in antivirus tests. The trail of tears is ongoing over on the Microsoft forums. [Slashdot]

SSL optimization over the WAN needs scrutiny - Network World

Sun, 11 Mar 2007 17:45:40 GMT

Rather than passing through SSL sessions between clients and servers located in remote data centers, some WAN optimization gear can terminate the SSL sessions, shrink the traffic and re-encrypt it for the next leg of the trip. These chains of encrypted sessions introduce potential vulnerabilities that different vendors address in different ways.

SSL traffic represents a growing percentage of total traffic on WAN links, according to Forrester Research. So SSL support in WAN optimization appliances will become more important to businesses that want to keep traffic secure while minimizing the size of their WAN links.

In a survey last month of 1,300 IT executives by WAN-optimization vendor Blue Coat Systems, one-third of respondents said that 25% of their WAN traffic is SSL. And of those surveyed, 45% plan to roll out more SSL applications this year.

About a third of all WAN traffic at Richardson Partners Financial Ltd. in Toronto is SSL, says Andrew McKinney, director of technical services for the firm. But if only the urgent business traffic is considered, the percentage is much higher. "For critical business traffic, it's all encrypted," he says. So he uses Blue Coat Systems gear to secure traffic and optimize it for good performance.

SSL Optimization Over WAN Needs Scrutiny.

Sun, 11 Mar 2007 17:41:59 GMT

SSL Optimization Over WAN Needs Scrutiny. coondoggie writes with word of the expansion of WAN optimization appliances to handle SSL traffic and the security concerns this brings up. From the article: "With more and more WAN optimization vendors extending their capabilities to include encrypted traffic, corporate IT executives have a decision to make: Should they trust the security these devices provide? Rather than passing through SSL sessions between clients and servers located in remote data centers, some WAN optimization gear can terminate the SSL sessions, shrink the traffic, and re-encrypt it for the next leg of the trip. These chains of encrypted sessions introduce potential vulnerabilities that different vendors address in different ways. SSL traffic represents a growing percentage of total traffic on WAN links, according to Forrester Research. So SSL support in WAN optimization appliances will become more important to businesses that want to keep traffic secure while minimizing the size of their WAN links."
[Slashdot]

Don't like ID cards? Hand over your passport | the Daily Mail

Sun, 11 Mar 2007 16:56:16 GMT

Anybody who objects to their personal details going on the new "Big Brother" ID cards database will be banned from having a passport.

James Hall, the official in charge of the supposedly-voluntary scheme, said the Government would allow people to opt out - but in return they must "forgo the ability" to have a travel document.

With one in every eight people saying they will refuse to sign-up, up to five million adults could effectively be refused permission to leave the country.

Campaigners reacted to Mr Hall's remarks with fury, saying they were yet more evidence of the lurch towards "Big Brother" Britain.

Phil Booth, of the NO2ID group, said: "The idea that ID cards scheme is voluntary, and people can opt-out, is a joke.

"There are all sorts of reasons why people need to travel, not just for holidays. There is work, visiting relatives.

"What are these people supposed to do? It stretches the definition of voluntary beyond breaking point. They will go to any length to get personal information for this huge database. Who knows what will happen to it then?"

No Passport For Britons Refusing Mass Surveillance.

Sun, 11 Mar 2007 16:52:17 GMT

No Passport For Britons Refusing Mass Surveillance. UpnAtom writes "People who refuse to give up their bank records, tax records & details of any benefits they've claimed, and the records of their car movements for the last year, or refuse to submit to an interrogation on whether they are the same person that this mountain of data belongs to -- will be denied passports from March 26th. The Blair government has already admitted that this and other data will be cross-linked so that the Home Office and other officials can spy on the everyday lives of innocent Britons. Britons were already the most spied upon nation in Western Europe -- more so even than Sweden. Data-mining through this unprecedented level of mass-surveillance allows any future British government to leapfrog even countries like China and North Korea." [Slashdot: Your Rights Online]

Big Brother State - An animated short about public surveillance by David Scharf

Sun, 11 Mar 2007 03:06:35 GMT

please also download using Bit Torrent:
(Xvid Version, ca. 50 MB, 768 px x 432 px) ---> CLICK HERE
(Big FLV Version, 55 MB, 768 px x 432 px, use FLV Player to view) ---> CLICK HERE

Check the Internet Archive for other resolutions and formats: CLICK HERE

EFF Calls For Aggressive Congressional Hearings on National Security Letter Misuse.

Sun, 11 Mar 2007 02:52:46 GMT

EFF Calls For Aggressive Congressional Hearings on National Security Letter Misuse.

EFF is calling for Congress to hold aggressive hearings on the FBI's domestic intelligence authority after the release of a Justice Department report [PDF] showing the Bureau abusing its power to collect telephone, Internet, financial, credit, and other personal records about Americans without judicial approval.

Sen. Patrick J. Leahy, D-Vermont, has said the Senate Judiciary Committee will hold hearings into the report's findings. But the widespread abuse detailed in the report requires more than just a cursory examination.

"The Bureau's misuse of its intelligence authority is an ongoing critical problem," said EFF Staff Attorney Marcia Hofmann. "Congress must use its investigative power to find out what's really going on at the FBI -- and then rein in the Bureau's investigative authority to where is was before the USA PATRIOT Act."

In the report, the Justice Department's inspector general identifies four dozen instances in which demands for personal information -- known as National Security Letters -- may have violated laws and agency regulations. The report also found that the Bureau lied to Congress about its use of the letters.

The FBI has had limited authority to issue National Security Letters for many years. However, a controversial provision of the PATRIOT Act greatly expanded the Bureau's ability to use them to gather information about anyone, as long as the agency believes the information could be relevant to a terrorism or espionage investigation.

Today's report follows the inspector general's findings last year that the Bureau had disclosed more than 100 instances of possible intelligence misconduct to the Intelligence Oversight Board in the preceding two years, a number of which were "significant."

In 2005, EFF argued in a friend of the court brief that the FBI's "unfettered authority" to issue National Security Letters "is ripe for abuse." The danger of such abuse has now been documented.

"This is not simply about errors in 'oversight,'" said EFF Senior Staff Attorney Lee Tien. "This is about disregard for the law. For example, FBI terrorism investigators ignored their own lawyers' advice to stop using so-called 'exigent' letters for about two years."

For more information, read the full report from the Justice Department, as well as this brief description of National Security Letters .

[EFF: Deep Links]

Newly Revealed FBI Data Abuses and the Data Retention Red Flag.

Sun, 11 Mar 2007 02:43:18 GMT

Newly Revealed FBI Data Abuses and the Data Retention Red Flag.

Greetings. The release of a new report detailing massive FBI abuses of the PATRIOT Act (particularly in regard to National Security Letters), now confirms concerns that I and others have been long expressing about the potential abuse of retained Internet and other data, e.g.:

Sounding the Alarm on Government-Mandated Data Retention

An Open Letter to Google: Concepts for a Google Privacy Initiative

Broad abuses of retained data are now demonstrated to be real, not theoretical, as described in this Washington Post story.

We don't yet really know the full extent of these violations, but what has already been revealed is bad enough as a starting point.

I hope that these events will not only trigger considerable soul-searching by those firms who voluntarily retain user activity data, but also cause a renewed recognition of how broad mandated data retention can facilitate, and inevitably will facilitate, such abuses in the future.

--Lauren--

[Lauren Weinstein's Blog]

Justice: FBI misused Patriot Act powers - Yahoo! News

Fri, 09 Mar 2007 20:34:53 GMT

The FBI improperly and, in some cases, illegally used the USA Patriot Act to secretly obtain personal information about people in the United States, a Justice Department audit concluded Friday.

And for three years the FBI underreported to Congress how often it forced businesses to turn over the customer data, the audit found.

Attorney General Alberto Gonzales, who oversees the FBI, described the problems cited in the report as unacceptable and left open the possibility of criminal charges. He ordered further investigation.

"Once we get that information, we'll be in a better position to assess what kinds of steps should be taken," Gonzales told reporters following a speech to privacy officials.

[...]

The FBI also used so-called "exigent letters," signed by officials at FBI headquarters who were not authorized to sign national security letters, to obtain information. In at least 700 cases, these exigent letters were sent to three telephone companies to get toll billing records and subscriber information.

"In many cases, there was no pending investigation associated with the request at the time the exigent letters were sent," the audit concluded.

In a letter to Fine, Gonzales asked the inspector general to issue a follow-up audit in July on whether the FBI had followed recommendations to fix the problems.

"To say that I am concerned about what has been revealed in this report would be an enormous understatement," Gonzales told the privacy officials. "Failure to adequately protect information privacy simply is a failure to do our jobs."

Senators outraged over the conclusions signaled they would provide tougher oversight of the FBI -- and perhaps limit its power.

"The report indicates abuse of the authority" Congress gave the FBI, said Senate Judiciary Committee Chairman Patrick Leahy (news, bio, voting record), D-Vt. "You cannot have people act as free agents on something where they're going to be delving into your privacy."

The committee's top Republican, Pennsylvania Sen. Arlen Specter (news, bio, voting record), said the FBI appears to have "badly misused national security letters." The senator said, "This is, regrettably, part of an ongoing process where the federal authorities are not really sensitive to privacy and go far beyond what we have authorized."

Sen. Russ Feingold (news, bio, voting record), D-Wis., another member on the panel that oversees the FBI, said the report "proves that 'trust us' doesn't cut it."

The American Civil Liberties Union said the audit proves Congress must amend the Patriot Act to require judicial approval anytime the FBI wants access to sensitive personal information. "The Attorney General and the FBI are part of the problem and they cannot be trusted to be part of the solution," said Anthony D. Romero, the ACLU's executive director.

Audit Finds FBI Abused Patriot Act.

Fri, 09 Mar 2007 20:27:43 GMT

Audit Finds FBI Abused Patriot Act. happyslayer writes to mention that according to Yahoo! News a recent audit shows that the FBI has improperly and in some cases illegally utilized the Patriot Act to obtain information. "The audit by Justice Department Inspector General Glenn A. Fine found that FBI agents sometimes demanded personal data on individuals without proper authorization. The 126-page audit also found the FBI improperly obtained telephone records in non-emergency circumstances. The audit blames agent error and shoddy record-keeping for the bulk of the problems and did not find any indication of criminal misconduct. Still, 'we believe the improper or illegal uses we found involve serious misuses of national security letter authorities,' the audit concludes." [Slashdot]

The Local - 'Big brother' surveillance makes waves in Sweden

Fri, 09 Mar 2007 20:21:39 GMT

A far-reaching wiretapping programme proposed by Sweden's government to defend against foreign threats, including monitoring emails and telephone calls, has stirred up a fiery debate in the past few weeks, with critics decrying the creation of a "big brother" state.

The new legislation, to be presented to parliament on Thursday, would enable the National Defence Radio Establishment (FRA) to tap all Internet and telephone communication in and out of Sweden.

Sweden Admits Tapping Citizens' Phones for Decades.

Fri, 09 Mar 2007 20:18:28 GMT

Sweden Admits Tapping Citizens' Phones for Decades. paulraps writes "Sweden is close to implementing new surveillance legislation that will include the monitoring of emails, telephone calls and keyword searches using advanced pattern analysis. The objective is to detect 'threats such as terrorism, IT attacks or the spread of weapons of mass destruction' but the proposals have divided the country. In a misguided attempt to put people at ease, the government admitted that Sweden has been tapping its citizens' phones for decades anyway." [Slashdot: Your Rights Online]

The Blotter(ABC NEWS) - Exclusive: Report Says FBI Violated Patriot Act Guidelines

Fri, 09 Mar 2007 17:02:02 GMT

The FBI repeatedly failed to follow the strict guidelines of the Patriot Act when its agents took advantage of a new provision allowing the FBI to obtain phone and financial records without a court order, according to a report to be made public Friday by the Justice Department's Inspector General.

The report, in classified and unclassified versions, remains closely held, but Washington officials who have seen it tell ABC News it documents "numerous lapses" and describe it as "scathing" and "not a pretty picture for the FBI."

FBI Director Robert Mueller is scheduled to brief Congress on the report at noon.

The officials say the inspector general found the FBI underreported by at least 20 percent the use of the controversial provision, known as National Security Letters, NSLs, in required disclosures to Congress.

The Patriot Act gave FBI agents the ability to demand telephone, bank, credit card and library records by issuing an administrative letter, bypassing the need to seek a warrant from a federal judge.

Pine Bluff - Scaled-back version of drug database passes Senate

Fri, 09 Mar 2007 16:33:58 GMT

LITTLE ROCK - Scaling back the scope of a statewide database to monitor some prescription drug purchases gained Senate approval of the measure Thursday. The bill's sponsor said the amendments were intended to address concerns about patient privacy.

[...]

By a 20-7 vote, the Senate approved a bill by Sen. Denny Altes, R-Fort Smith, that would allow the state Board of Pharmacy to establish standards for setting up the database on drug purchases. The database would track schedule II and schedule III narcotics, such as morphine or OxyContin.

"I think we've amended this about six times now," Altes said before the vote. "I think these changes should address all the concerns that were raised."

Altes originally called for a database to track virtually all prescription drug purchases in the state. The measure passed by the Senate allows the Board of Pharmacy to set the criteria for the information to be tracked by the database.

Sen. Jim Argue, D-Little Rock, said he still believed the database could be subject to abuse and could harm the privacy of some patients.

"There is no evidence that a database like this works, but there is evidence that databases like this could be violated," Argue said.

Malware with Rootkit Features Grows.

Fri, 09 Mar 2007 16:28:49 GMT

Malware with Rootkit Features Grows. "Rootkit techniques are becoming increasingly popular among malware creators." [GT: Security and Privacy]

Homeland Security Tests Snoop Computer System.

Fri, 09 Mar 2007 16:23:56 GMT

Homeland Security Tests Snoop Computer System. Parallax Blue writes "The Washington Times reports that Homeland Security has developed and is testing a new computer system called ADVISE (Analysis, Dissemination, Visualization, Insight and Semantic Enhancement) that collects and analyzes personal information on US citizens. Relevant data 'can include credit-card purchases, telephone or Internet details, medical records, travel and banking information.' The program apparently uses the same process as the Pentagon's Total Information Awareness project, which was aborted in 2003 due to privacy concerns."

[Slashdot: Your Rights Online]

Crash-Testing a Killer Bot.

Fri, 09 Mar 2007 04:57:23 GMT

Crash-Testing a Killer Bot. Israel rolls out a tiny, Uzi-toting robot. But what happens when the armed equivalent of the Blue Screen of Death occurs? In Danger Room. In Danger Room. [Wired News: Top Stories]

Sweden: Monitor Communications.

Fri, 09 Mar 2007 04:35:34 GMT

Sweden: Monitor Communications. A Swedish government security plan would allow a defense intelligence agency to monitor -- without a court order -- e-mail traffic and phone calls crossing the nation's borders. By the Associated Press. [Wired News: Top Stories]

Homeland Security revives supersnoop - The Washington Times

Thu, 08 Mar 2007 23:21:29 GMT

Homeland Security officials are testing a supersnoop computer system that sifts through personal information on U.S. citizens to detect possible terrorist attacks, prompting concerns from lawmakers who have called for investigations.

The system uses the same data-mining process that was developed by the Pentagon's Total Information Awareness (TIA) project that was banned by Congress in 2003 because of vast privacy violations.

A Government Accountability Office (GAO) investigation of the project called ADVISE -- Analysis, Dissemination, Visualization, Insight and Semantic Enhancement -- was requested by Rep. David R. Obey, Wisconsin Democrat and chairman of the House Appropriations Committee.

The investigation focuses on whether the program violates privacy laws, and the findings will be released after completion of the Iraq war supplemental spending bill, possibly as early as this week, a panel aide said.

The ADVISE and TIA data-mining projects rely on personal data to track individual behavior and consumer transactions to develop computer algorithms that create a pattern that some behavioral scientists say can predict terrorist behavior.

Data can include credit-card purchases, telephone or Internet details, medical records, travel and banking information.

Privacy concerns prompted lawmakers on both sides of the aisle to introduce legislation in January to require that government agencies disclose data-mining practices in regular reports to Congress.

"A serious discussion on the implications of data-mining programs is long overdue," Sen. Russ Feingold, Wisconsin Democrat and a sponsor of the bill, said yesterday. Sen. John E. Sununu, New Hampshire Republican, is also a bill sponsor.

FCW.com News - Census Bureau accidentally exposes personal data

Thu, 08 Mar 2007 23:04:50 GMT

The Census Bureau accidentally posted personal information on 302 households on a public server several times since October 2006, officials said.

The personal information, including names, addresses, phone numbers, birthdates, family income ranges and other demographic data, was contained in a file that was placed on a public server for the purposes of testing new software applications. The file included about 250 fake accounts in addition to the real information. The bureau found out about the mistake when it found the file on the server in mid-February.

heise Security - All Microsoft updates phone home

Thu, 08 Mar 2007 22:54:34 GMT

Possibly as a reaction to heise Security's report that Windows Genuine Advantage Notification sends back data to Redmond even when users choose to terminate its installation, a Microsoft developer using the pseudonym alexkoc has now posted an entry in the WGA blog. There he reveals that every update that flows through Windows Update at the very least informs Microsoft about whether the installation was successful or not.

In the Privacy Statement of Windows Update Microsoft grants itself fairly far-reaching rights. Thus the information collected by the Redmond-based behemoth includes the computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug&Play ID numbers of hardware devices, region and language setting, Globally Unique Identifier (GUID), Product ID and Product Key, BIOS name, revision number, and revision date. By way of justifying Microsoft's approach, alexkoc writes that the EULA, likewise presented by the WGA installer, also covered the relaying of such information.

With some updates such as the WGA Notification, the installer transmits data that Microsoft says it merely requires for quality control purposes and to improve the installer itself. The WGA package thus, among other things, sends back an event code. To calm the fears of users, alexkoc presents a graphic explaining the various fields of such a data packet.

When the product IDs and product keys found belong to legal software, Microsoft will delete the data right away; only in cases of suspected software piracy will it store the data, the company has said. In the blog, the company once again explicitly states that it does not use the information gathered to identify or contact users.

All Microsoft Updates Phone Home.

Thu, 08 Mar 2007 22:49:17 GMT

All Microsoft Updates Phone Home. juct writes "In the wake of heise Security's report on the garrulous WGA Notification, Microsoft has now supplied additional details on the data sent. They have revealed to developers that apparently all updates relay information to the company in Redmond." [Slashdot: Your Rights Online]

Vishing: Dialing for Dollars, Part II.

Thu, 08 Mar 2007 22:41:03 GMT

Vishing: Dialing for Dollars, Part II.

Security Fix received a copy of a new scam e-mail targeting Bank of America customers that is likely to con quite a few folks before it is shut down.

Sure, Bank of America is hit by this sort of thing all the time. It's the fourth most popular target for "phishing" scams that use e-mail to lure people into giving away their data at counterfeit sites, according to stats just released by PhishTank. But this is one of the more convincing voice phishing or "vishing" attacks I've seen yet.

Vishing scams start with an e-mail lure that asks the recipient to call a specific 1-800 number to settle some matter with his or her account. The numbers usually are connected to an automated system that asks the caller to key in data from a credit card -- the 16-digit account number, the expiration date and the three-digit security code on the back.

This new Bank of America scam has the same elements, but its execution is nearly flawless (unlike the majority of previous vishing scams Security Fix has seen, which either bungle the voice mail system or use a lure full of poor spelling and grammar). It informs the recipient that his account has been suspended because it was used to purchase "obscene or certain sexually oriented goods or services." From the e-mail:

"We are hereby notifying you that, after a recent review of your account activity, it has been determined that you are in violation of Bank of America's Acceptable Use Policy. Therefore, your account has been temporarily limited for: hotjasmin.com cam shows. In order to remove the limit please call our TOLL FREE number [omitted]." That domain is registered to a guy in the Netherlands, but it's currently inactive.

I recorded a short snippet of the first 45 seconds or so of the automated phone message used in this attack. If the you enter the requested information, the voice then asks for your bank PIN: "Bank of America asks for your PIN in order to verify your identity. This also enables us to assist federal authorities in order to prevent money laundering and other illegal activities."

Generally, it's a good idea not to even dial these bogus 1-800 numbers, as you're essentially giving the scammers your phone number, a key piece of your personal data. It's also a good idea to be very suspicious of e-mails that ask you to call any number. When in doubt, open up a browser Window and find the official Web site of your financial institution, then look up the customer-service number listed there.

[Security Fix]

C-SPAN Unchains Congressional Hearing Videos.

Thu, 08 Mar 2007 21:56:27 GMT

C-SPAN Unchains Congressional Hearing Videos.

C-SPAN has announced that, effective immediately, its videos of Congressional hearings, White House briefings, and other federal events will be freely available for noncommercial copying, sharing and posting, so long as attribution is included (sounds like the Creative Commons by-nc license, but no confirmation on whether that's what they are using). According to the C-SPAN press release, the move recognizes that we're in "an age of explosive growth of video file sharers, bloggers and online citizen journalists."

This is fantastic news! A considerable helping of the credit belongs to Carl Malamud, who responded to a copyright kerfuffle involving House Speaker Nanci Pelosi's use of C-SPAN hearing footage by writing an open letter to C-SPAN's CEO Brian Lamb challenging him to open up the archives to enable these kinds of public uses of C-SPAN content. Several meetings later, it appears C-SPAN decided to rise to the challenge.

Kudos to Carl, and kudos to C-SPAN. This is an amazing bit of public service all around. (Full disclosure: EFF represented Carl in connection with this issue, but we hardly lifted a finger -- all credit goes to Carl.)

[EFF: Deep Links]

Editor: Hmm maybe I'll have to consider making some snippets available in the future. A lot of hearings are dry, but every once in a while you get a real gem.

Cuban gets stuck into YouTube, demands it squeals.

Thu, 08 Mar 2007 21:47:54 GMT

Cuban gets stuck into YouTube, demands it squeals.

'Talk, morons'

Attention-seeking tech billionaire Mark Cuban has set the legal dogs on YouTube, demanding it snitch on users who uploaded video which one of his investments owns the rights to.

[The Register - Music and Media]

WGA Reports Back To MS Even If You Choose Not To Install - Aviran's Place

Wed, 07 Mar 2007 17:06:01 GMT

Heise online reports on a very interesting action Microsoft is taking during the installation of WGA.

When you start WGA setup and get to the license agreement page but decided NOT to install the highly controversial WGA component and cancel the installation, the setup program will send your info and the fact that you choose not to install WGA back to their servers.

In addition to that it seems that the setup program send some information stored in your registry to http://genuine.microsoft.com/. While it does not specifically identify the user, it looks like it does send some identification of your computer and Windows version (see picture) to Microsoft servers.

Microsoft WGA Phones Home Even When Told No.

Wed, 07 Mar 2007 17:00:00 GMT

Microsoft WGA Phones Home Even When Told No. Aviran writes "When you start WGA setup and get to the license agreement page but decided NOT to install the highly controversial WGA component and cancel the installation, the setup program will send information stored in your registry and the fact that you choose not to install WGA back to Microsoft's servers." [Slashdot]

Wal-Mart fires technician who recorded phone calls

Wed, 07 Mar 2007 15:52:20 GMT

March 05, 2007 (Reuters) -- CHICAGO - Wal-Mart Stores Inc. said today it fired a systems technician for intercepting text messages of people who were not Wal-Mart employees and for recording telephone conversations with a New York Times reporter without authorization.

Wal-Mart, the world's largest retailer, said an internal investigation found the technician had monitored and recorded phone calls between Wal-Mart public relations employees and a New York Times Co. reporter between September and January.

The Bentonville, Ark.-based retailer also said the technician, who worked in its information systems division, intercepted and stored text messages that contained certain key words, including those sent by people in the Bentonville area who were not Wal-Mart employees.

Wal-Mart spokeswoman Mona Williams said on a call with reporters that the technician "did this on his own."

While interviews with the technician gave the retailer an idea as to why he recorded the calls, Williams said she could not disclose the reasons because the case has been turned over to federal investigators.

Spying at Wal*Mart: Human nature run amuck?

Wed, 07 Mar 2007 15:46:37 GMT

Spying at Wal*Mart: Human nature run amuck? Does the Wal-Mart eavesdropping debacle have the potential to be this year's HP scandal? A former IT security staffer for the retailer evaluates what might have happened. [Computerworld Privacy News]

Mass. motor vehicle registry warns of spoof site.

Wed, 07 Mar 2007 15:44:41 GMT

Mass. motor vehicle registry warns of spoof site. The Massachusetts Registry of Motor Vehicles is warning customers about an online scam intended to trick them out of their credit card information and their money. [Computerworld Privacy News]

Crack! Security expert hacks RFID in UK passport.

Wed, 07 Mar 2007 15:41:33 GMT

Crack! Security expert hacks RFID in UK passport. The British government says that forgery of their new biometric passports is inconceivable, but a security expert has demonstrated a successful crack of the embedded RFID chip and its info. And he did it without taking the document out of its mailing envelope. [Computerworld Privacy News]

Your Wi-Fi can tell people a lot about you | CNET News.com

Wed, 07 Mar 2007 02:20:57 GMT

ARLINGTON, Va.--Simply booting up a Wi-Fi-enabled laptop can tell people sniffing wireless network traffic a lot about your computer--and about you.

Soon after a computer powers up, it starts looking for wireless networks and network services. Even if the wireless hardware is then shut-off, a snoop may already have caught interesting data. Much more information can be plucked out of the air if the computer is connected to an access point, in particular an access point without security.

"You're leaking all kinds of information that an attacker can use," David Maynor, chief technology officer at Errata Security, said Thursday in a presentation at the Black Hat DC event here. "If the government was taking this information from you, people would be up in arms. Yet you're leaking this voluntarily using your laptop at the airport."

There are many tools that let anyone listen in on wireless network traffic. These tools can capture information such as usernames and passwords for e-mail accounts and instant message tools as well as data entered into unsecured Web sites. At the annual Defcon hacker gathering, a "wall of sheep" always lists captured log-in credentials.

Errata has developed another network sniffer that looks for traffic using 25 protocols, including those for the popular instant message clients as well as DHCP, SNMP, DNS and HTTP. This means the sniffer will capture requests for network addresses, network management tools, Web sites queries, Web traffic and more.

A Network Sniffer On Steroids.

Wed, 07 Mar 2007 02:14:20 GMT

A Network Sniffer On Steroids. QuantumCrypto writes "Errata has developed a new network sniffer, dubbed 'Ferret,' that looks for traffic using 25 protocols, including those for the popular instant message clients as well as DHCP, SNMP, DNS and HTTP. This means the sniffer will capture requests for network addresses, network management tools, Web sites queries, Web traffic and more. 'You don't realize how much you're making public, so I wrote a tool that tells you,' said Robert Graham, Errata's chief executive. Errata has released the source code to this version 1.0, 'feature-poor and buggy' tool on its site. Anyone with a wireless card will be able to run it, Graham said." [Slashdot: Your Rights Online]

Cybercrime Treaty: What it Means to You

Wed, 07 Mar 2007 01:53:57 GMT

In that vein, in August the Senate ratified the Convention on Cybercrime, drafted by the Council of Europe with considerable input from the United States. So far, 43 nations have signed on. The Convention includes many sensible provisions aimed at unifying global computer-crime laws, and closes loopholes that make it possible for criminals to escape prosecution by locating their activities offshore.

But civil libertarians, along with leading telecommunications companies, strongly oppose the treaty. Civil libertarians are especially concerned about the sweeping authority given to participating countries to seize information from private parties as they investigate cybercrimes, even when the activity being investigated isn't a crime in the country where the data is located. If France is investigating a sale of Nazi memorabilia on eBay, the U.S. must cooperate, even though such transactions are not illegal in the U.S.

Telecommunications companies object to provisions that require member countries to establish and enforce potent data-retention policies for network traffic, and require any operator of a computer network to respond to requests for information from any participating country without compensation of any kind.

These are potentially serious problems, especially given that the Convention is open to any country that wants to join. But there are more practical reasons U.S. businesses should be concerned. The provisions for data retention and production apply to any operator of a computer network, not just telecoms. Worse, Article 12 attaches liability to businesses for "lack of supervision or control" of employees who commit criminal offenses covered by the Convention. Businesses must worry about employee activities that may be legal here, but illegal elsewhere, risking administrative, civil, or even criminal penalties.

These investigative and supervision costs will invariably be imposed on businesses without any real controls. Worldwide law-enforcement agencies, in other words, may now avail themselves of the opportunity to outsource their most expensive problems to you.

Cybercrime Treaty ó Hidden Costs For All.

Wed, 07 Mar 2007 01:48:08 GMT

Cybercrime Treaty [~] Hidden Costs For All. linuxtelephony writes in with an article at CIO Insight about a cybercrime treaty drafted in Europe with help from the US. It has implications for just about everyone with a network. From the article: "Civil libertarians are especially concerned about the sweeping authority given to participating countries to seize information from private parties as they investigate cybercrimes, even when the activity being investigated isn't a crime in the country where the data is located... Telecommunications companies object to provisions that require member countries to establish and enforce potent data-retention policies for network traffic, and require any operator of a computer network to respond to requests for information from any participating country without compensation of any kind... The provisions for data retention and production apply to any operator of a computer network, not just telecoms... Worldwide law-enforcement agencies, in other words, may now avail themselves of the opportunity to outsource their most expensive problems to you." [Slashdot: Your Rights Online]

Action Alert: Repeal the REAL ID Act!

Wed, 07 Mar 2007 01:24:48 GMT

Action Alert: Repeal the REAL ID Act!

The federal government has taken another step towards forcing you to carry a national ID in order to get on airplanes, open a bank account, enter federal buildings, and much more. But with state legislatures and Congressional representatives increasingly turning against the REAL ID Act, you can help stop this costly, privacy-invasive mandate -- voice your opposition now.

On March 1, the Department of Homeland Security (DHS) released draft regulations [PDF] for implementing REAL ID, which makes states standardize drivers licenses and create a vast national database linking all of the ID records together. Once in place, uses of the IDs and database will inevitably expand to facilitate a wide range of tracking and surveillance activities. Remember, the Social Security number started innocuously enough, but it has become a prerequisite for a host of government services and been co-opted by private companies to create massive databases of personal information.

REAL ID won't just cost you your privacy. The states and individual taxpayers bear the estimated 23 billion dollar burden of implementing the law, and that figure is probably low given that the necessary verification systems don't exist yet.

And what will you get in return? Not improved national security, because IDs do little to stop those who haven't already been identified as threats, and wrongdoers will still be able to create fake documents.

REAL ID is fundamentally flawed, and DHS' proposed regulations do nothing to change that. Thankfully, the tide is turning against REAL ID in a big way -- state legislatures around the country are passing or considering legislation rejecting its implementation, and Congress is considering repealing it.

The DHS regulations mean that states must have an implementation plan ready by October 2007. Make sure your Congressional representatives support the repeal of REAL ID before it's too late.

For more information, check out San Jose Mercury News' recent editorial opposing REAL ID as well as the ACLU's Realnightmare.org.

[EFF: Deep Links]

Anti-terror tests broke law, says watchdog - 03/01/07 - Tennessean.com

Tue, 06 Mar 2007 16:13:09 GMT

The Department of Homeland Security is testing a data-mining program that would attempt to spot terrorists by combing vast amounts of information about average Americans, such as flight and hotel reservations.

The new program, similar to a Pentagon program that Congress killed in 2003 over concerns about civil liberties, could take effect as soon as next year.

But system testers probably already have violated privacy laws by reviewing real information, instead of fake data, a source familiar with a congressional investigation into the $42.5 million program told The Washington Post.

The program, called Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE), is on the cutting edge of analytical technology that applies mathematical algorithms to uncover hidden relationships in data. The idea is to troll a vast sea of information and extract suspicious people, places and other elements based on their links and behavioral patterns.

The privacy violation is described in a Government Accountability Office report due out soon. "Undoubtedly there are likely to be more," GAO Comptroller David Walker said recently.

Apple Patches QuickTime Holes.

Tue, 06 Mar 2007 16:04:12 GMT

Apple Patches QuickTime Holes.

Apple on Monday issued security patches to plug multiple security holes in its QuickTime media player software. The new version of the player -- QuickTime 7.1.5 -- fixes at least eight separate and serious vulnerabilities.

Updates are available for Mac OS X, Windows 2000, Windows XP and Windows Vista versions. Mac users can get the latest version either from Apple's site or via the built-in Software Update feature. Windows users with recent versions of QuickTime installed will already have Apple's Software Update program and should use that to get this latest version. Alternatively, Windows users can download it by following this link.

[Security Fix]

Tonight(Tuesday) on Nightline - The NSA at AT&T

Tue, 06 Mar 2007 15:55:07 GMT

Tonight(Tuesday) on Nightline is an episode on the NSA having a monitoring station in the AT&T wire room. They have the guy who originally broke the story being interviewed tonight.

Texas counties illegally posting Social Security numbers online, AG says.

Mon, 05 Mar 2007 20:38:14 GMT

Texas counties illegally posting Social Security numbers online, AG says. Texas Attorney General Greg Abbot has ruled that the posting of sensitive data online by county and district clerks is illegal. But the clerks are fighting back by pushing for a state law that would allow them to continue to do so. [Computerworld Privacy News]

F2C: Freedom to Connect being webcast starting March 5

Mon, 05 Mar 2007 19:57:29 GMT

F2C is a meeting of people engaged with Internet connectivity and all that it enables, including vendors, customers, regulators, legislators, analysts, financiers, citizens and co-creators. This year, the theme of F2C is how universal connectivity and the plunging capital requirements of information production are changing our fundamental economic and social assumptions. (F2C is produced by David S. Isenberg of isen.com, LLC.)

Tune into F2C Group Chat beginning about 8:30AM, Monday 5 March

F2C Webcast available for those who can't be there. (Please participate in Group Chat too.)

The Pentagon Wants a 'TiVo' to Watch You.

Mon, 05 Mar 2007 02:31:33 GMT

The Pentagon Wants a 'TiVo' to Watch You. An anonymous reader writes "Danger Room, a Wired blog, today cites a study of future electronic snooping technologies from Reuters, written by the Pentagon's Defense Science Board. More than anything, it seems these outside advisers want a surveillance system that would put Big Brother to shame, and they're looking at the commercial sector to provide it. 'The ability to record terabyte and larger databases will provide an omnipresent knowledge of the present and the past that can be used to rewind battle space observations in TiVo-like fashion and to run recorded time backwards to help identify and locate even low-level enemy forces. For example, after a car bomb detonates, one would have the ability to play high-resolution data backward in time to follows the vehicle back to the source, and then use that knowledge to focus collection and gain additional information by organizing and searching through archived data.'" [Slashdot]

Month of PHP Bugs Has Begun.

Mon, 05 Mar 2007 02:01:57 GMT

Month of PHP Bugs Has Begun. An anonymous reader writes "The previously announced Month of PHP Bugs started three days ago, and already lists 8 security vulnerabilities in PHP and PHP related software. From the site: 'This initiative is an effort to improve the security of PHP. However we will not concentrate on problems in the PHP language that might result in insecure PHP applications, but on security vulnerabilities in the PHP core. During March 2007 old and new security vulnerabilities in the Zend Engine, the PHP core and the PHP extensions will be disclosed on a day by day basis. We will also point out necessary changes in the current vulnerability management process used by the PHP Security Response Team.'" [Slashdot]

Concurring Opinions: The Rise of Customer Blacklists

Sun, 04 Mar 2007 03:55:39 GMT

Blacklists appear to be the rage these days. With the ease of storing and sharing personal information -- coupled with lax privacy law restrictions on such activities -- companies can increasingly create blacklists of bad customers. In this article from the Ottawa Citizen, hotels in Australia and Canada (and soon the United States) are signing up for a service that compiles a blacklist against "bad" hotel guests:

Hartford Courant - Best Buy Confirms It Has Secret Website

Sun, 04 Mar 2007 03:26:10 GMT

Under pressure from state investigators, Best Buy is now confirming my reporting that its stores have a secret intranet site that has been used to block some consumers from getting cheaper prices advertised on BestBuy.com.

Company spokesman Justin Barber, who in early February denied the existence of the internal website that could be accessed only by employees, says his company is "cooperating fully" with the state attorney general's investigation.

Barber insists that the company never intended to mislead customers.

State Attorney General Richard Blumenthal ordered the investigation into Best Buy's practices on Feb. 9 after my column disclosed the website and showed how employees at two Connecticut stores used it to deny customers a $150 discount on a computer advertised on BestBuy.com.

Blumenthal said Wednesday that Best Buy has also confirmed to his office the existence of the intranet site, but has so far failed to give clear answers about its purpose and use.

"Their responses seem to raise as many questions as they answer," Blumenthal said in an interview. "Their answers are less than crystal clear."

Canadian Gov't Grants Olympics Ownership of Winter.

Sun, 04 Mar 2007 03:17:34 GMT

Canadian Gov't Grants Olympics Ownership of Winter. An anonymous reader writes "Michael Geist reports that the Canadian government has introduced new legislation that grants Vancouver Olympic organizers broad powers to police the use of any commercial use of the words associated with the Olympics. These incredibly include 'winter, Vancouver, and games.' As Geist notes, the government 'has no time to deal with spam, spyware, privacy, or net neutrality, but commits to legislation on behalf of the organizers of a sporting event?'" [Slashdot: Your Rights Online]

Justice Department takes aim at image-sharing sites | CNET News.com

Sun, 04 Mar 2007 03:12:46 GMT

The Bush administration has accelerated its Internet surveillance push by proposing that Web sites must keep records of who uploads photographs or videos in case police determine the content is illegal and choose to investigate, CNET News.com has learned.

That proposal surfaced Wednesday in a private meeting during which U.S. Department of Justice officials, including Assistant Attorney General Rachel Brand, tried to convince industry representatives such as AOL and Comcast that data retention would be valuable in investigating terrorism, child pornography and other crimes. The discussions were described to News.com by several people who attended the meeting.

A second purpose of the meeting in Washington, D.C., according to the sources, was to ask Internet service providers how much it would cost to record details on their subscribers for two years. At the very least, the companies would be required to keep logs for police of which customer is assigned a specific Internet address.

Only universities and libraries would be excluded, one participant said. "There's a PR concern with including the libraries, so we're not going to include them," the participant quoted the Justice Department as saying. "We know we're going to get a pushback, so we're not going to do that."

Attorney General Alberto Gonzales has been lobbying Congress for mandatory data retention, calling it a "national problem that requires federal legislation." Gonzales has convened earlier private meetings to pressure industry representatives. And last month, Republicans introduced a mandatory data retention bill in the U.S. House of Representatives that would let the attorney general dictate what must be stored and for how long.

DoJ Mulls Tracking Picture Uploads.

Sun, 04 Mar 2007 02:57:23 GMT

DoJ Mulls Tracking Picture Uploads. Dominus Suus passed us a link to a C|Net article about a disturbing threat to privacy from the Justice Department. According to the article, a private meeting was held Wednesday between Justice officials and telecom industry representatives. With individuals from companies such as AOL and Comcast looking on, the officials continued overtures to increase data retention by ISPs on American citizens. This week, they were specifically looking to have records kept of photo uploads. In this way, and 'in case police determine the content is illegal and choose to investigate,' an easy trail from A to Z will be available. The article provides a good deal of background on the Bush Administration's history with data retention, with ties to events even older than the Bush presidency. --- "The Justice Department's request for information about compliance costs echoes a decade-ago debate over wiretapping digital telephones, which led to the 1994 Communications Assistance for Law Enforcement Act. To reduce opposition by telephone companies, Congress set aside $500 million for reimbursement and the legislation easily cleared both chambers by voice votes. Once Internet providers come up with specific figures, privacy advocates worry, Congress will offer to write a generous check to cover all compliance costs and the process will repeat itself." [Slashdot: Your Rights Online]